CrowdStrike Intelligence Report
Putter Panda
CrowdStrike Global Intelligence Team
This report is part of the series of technical and strategic reporting available to CrowdStrike Intelligence subscribers. It is being released publicly
to expose a previously undisclosed PLA unit involved in cyberespionage against Western technology companies.
In May 2014, the U.S. Department of Justice charged five Chinese nationals for economic espionage against U.S.
corporations. The five known state actors are officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In
response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts”. China then went
even further, stating “The Chinese government, the Chinese military and their relevant personnel have never engaged or
participated in cyber theft of trade secrets.”
We believe that organizations, be they governments or corporations, global or domestic, must keep up the pressure and hold
China accountable until lasting change is achieved. Not only did the U.S. Government offer in its criminal indictment the
foundation of evidence designed to prove China’s culpability in electronic espionage, but also illustrated that the charges
are only the tip of a very large iceberg. Those reading the indictment should not conclude that the People’s Republic of
China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States
government and corporations. Rather, China’s decade-long economic espionage campaign is massive and unrelenting.
Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every
part of the globe.
At CrowdStrike, we see evidence of this activity first-hand as our services team conducts Incident Response investigations
and responds to security breaches at some of the largest organizations around the world. We have first-hand insight into the
billions of dollars of intellectual property systematically leaving many of the largest corporations - often times unbeknownst
to their executives and boards of directors.
The campaign that is the subject of this report further points to espionage activity outside of Unit 61398, and reveals
the activities of Unit 61486. Unit 61486 is the 12th Bureau of the PLA’s 3rd General Staff Department (GSD) and is
headquartered in Shanghai, China. The CrowdStrike Intelligence team has been tracking this particular unit since 2012,
under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping,
aka cpyy, and the primary location of Unit 61486.
This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade
secrets, primarily relating to the satellite, aerospace and communication industries. With revenues totaling $189.2 billion
in 2013, the satellite industry is a prime target for espionage campaigns that result in the theft of high-stakes intellectual
property. While the gains from electronic theft are hard to quantify, stolen information undoubtedly results in an improved
competitive edge, reduced research and development timetables, and insight into strategy and vulnerabilities of the
targeted organization.
Parts of the PUTTER PANDA toolset and tradecraft have been previously documented, both by CrowdStrike, and in open
source, where they are referred to as the MSUpdater group. This report contains details on the tactics, tools, and techniques
used by PUTTER PANDA, and provides indicators and signatures that can be leveraged by organizations to protect
themselves against this activity. Our Global Intelligence Team actively tracks and reports on more than 70 espionage groups,
approximately half of which operate out of China and are believed to be tied to the Chinese government. This report is part
of our extensive intelligence library and was made available to our intelligence subscribers in April 2014, prior to the
US Government’s criminal indictment and China’s subsequent refusal to engage in a constructive dialog.
Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately
have no geographic borders. We believe the U.S. Government indictments and global acknowledgment and awareness
are important steps in the right direction. In support of these efforts, we are making this report available to the public to
continue the dialog around this ever-present threat.
George Kurtz
President/CEO & Co-Founder, CrowdStrike
Table of Contents
Executive Summary ... 4
Key Findings ... 5
Attribution ... 7
C2 Indicators ... 8
Targeting ... 10
Connections to Other Adversary Groups ... 11
“CPYY” ... 12
711 Network Security Team ... 16
Military Connections ... 17
Unit 61486 ... 20
Binary Indicators ... 24
Conclusions ... 25
Technical Analysis ... 27
3PARA RAT ... 28
PNGDOWNER ... 33
HTTPCLIENT ... 34
Droppers - RC4 and XOR Based ... 35
Mitigation & Remediation ... 38
Registry Artifacts ... 39
File System Artifacts ... 39
Host Indicators ... 39
YARA Rules ... 40
Network Signatures ... 44
Snort Rules ... 44
TTPs ... 46
Conclusion ... 48
Appendix 1: 4H RAT Sample Metadata ... 50
Appendix 2: 3PARA RAT Sample Metadata ... 53
Appendix 3: PNGDOWNER Sample Metadata ... 54
Appendix 4: HTTPCLIENT Sample Metadata ... 57
CrowdStrike Falcon Intelligence ... 58
CrowdStrike Falcon ... 59
About CrowdStrike ... 60
Executive Summary
CrowdStrike has been tracking the activity of a cyber espionage group operating out of Shanghai,
China, with connections to the People’s Liberation Army Third General Staff Department (GSD) 12th
Bureau Military Unit Cover Designator (MUCD) 61486, since 2012. The attribution provided in this report
points to Chen Ping, aka cpyy (born on May 29, 1979), as an individual responsible for the domain
registration for the Command and Control (C2) of PUTTER PANDA malware. In addition to cpyy, the
report identifies the primary location of Unit 61486.
PUTTER PANDA is a determined adversary group, conducting intelligence-gathering operations
targeting the Government, Defense, Research, and Technology sectors in the United States, with
specific targeting of the US Defense and European satellite and aerospace industries. The PLA’s GSD
Third Department is generally acknowledged to be China’s premier Signals Intelligence (SIGINT)
collection and analysis agency, and the 12th Bureau Unit 61486, headquartered in Shanghai,
supports China’s space surveillance network.
Domains registered by Chen Ping were used to control PUTTER PANDA malware. These domains were registered to an address corresponding to the physical location of the Shanghai headquarters of the 12th Bureau, specifically Unit 61486. The report illuminates a wide set of tools in use by the actors, including several Remote Access Tools (RATs). The RATs are used by the PUTTER PANDA actors to conduct intelligence-gathering operations with a significant focus on the space technology sector. This toolset provides a wide degree of control over a victim system and can provide the opportunity to deploy additional tools at will. The actors focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.
This report contains additional details on the tactics, tools, and techniques used by PUTTER PANDA,
and provides indicators and signatures that can be leveraged by organizations to protect
themselves against this activity.
Key Findings
➔ Putter Panda is a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd General Staff Department 12th Bureau Unit 61486. This unit supports the space-based signals intelligence (SIGINT) mission.
➔ The 12th Bureau Unit 61486, headquartered in Shanghai, is widely accepted to be China’s primary SIGINT collection and analysis agency, supporting China’s space surveillance network.
➔ This is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.
➔ The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries.
➔ They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.
➔ CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda.
➔ There is infrastructure overlap with Comment Panda, and evidence of interaction between actors tied to both groups.
Attribution
There are several pieces of evidence to indicate that the activity tracked by CrowdStrike as PUTTER PANDA is attributable to a set of actors based in China, operating on behalf of the Chinese People’s Liberation Army (PLA). Specifically, an actor known as cpyy (Chen Ping) appears to have been involved in a number of historical PUTTER PANDA campaigns, during which time he was likely working in Shanghai within the 12th Bureau, 3rd General Staff Department (GSD).
PUTTER PANDA has several connections to actors and infrastructure tied to COMMENT PANDA, a group previously attributed to Unit 61398 of the PLA.
C2 Indicators
Although some of the domains used for command and control of the tools described later in this report appear to be legitimate sites that have been compromised in some way, many of them appear to have been originally registered by the operators. Table 1 shows the domains that appear to have been registered by these actors, and the original email address used where known.
Table 1. C2 Domains and Original Registrant Email Addresses
The most significant finding is that an actor known as cpyy appears to have registered a significant number
of C2 domains. This actor is discussed in the next section.
Many of the domains have had their registrant information changed, likely in an attempt to obfuscate the
identity of the operators. For instance, several domains originally registered by cpyy had their email address
updated to [email protected] around the end of 2009; for siseau.com the change occurred between
July 2009 and November 2009, and for vssigma.com, the change occurred between August 2009 and
December 2009. Historical registrant information for anfoundation.us, rwchateau.com, and succourtion.org
was not available prior to 2010, but it is likely that these domains were also originally registered to a personally
attributable email account.
Similarly, several domains registered to mike.johnson_mj@yahoo.com have had their registrant email updated during March 2014 (see Table 2).
Table 2. New Registrant Email Addresses for Domains Originally Registered to mike.johnson_mj@yahoo.com
These registrant changes may indicate an increased awareness of operational security (OPSEC) from the PUTTER PANDA actors. The recent changes to the domains shown in Table 2 may indicate that the operators are preparing new campaigns that make use of this infrastructure, or they are attempting to disassociate all these domains from a single email address, perhaps due to OPSEC concerns or issues with the specific email account.
Although no attributable information was found on the email addresses associated with the domains described above (aside from cpyy and httpchen – see below), several other domains were found to have been registered by some of these addresses. These are shown in Table 3, and may be used for command and control of PUTTER PANDA tools.
Targeting
The subdomains associated with these domains via DNS records, along with some of the domain names themselves, point to some areas of interest for the PUTTER PANDA operators (see also Droppers in the following Technical Analysis section):
• Space, satellite, and remote sensing technology (particularly within Europe);
• Aerospace, especially European aerospace companies;
• Japanese and European telecommunications.
It is likely that PUTTER PANDA will continue to attack targets of this nature in future intelligence-gathering operations.
Table 3. Domains Associated with Registrant Emails Found in PUTTER PANDA C2 Domains
Connections to Other Adversary Groups
COMMENT PANDA
Based on passive DNS records, several PUTTER PANDA associated domains have resolved to IP address 100.42.216.230:
• news.decipherment.net
• res.decipherment.net
• spacenews.botanict.com
• spot.decipherment.net
Additionally, several subdomains of ujheadph.com resolved to this IP:
• chs.ujheadph.com
• imageone.ujheadph.com
• img.ujheadph.com
• klcg.ujheadph.com
• naimap.ujheadph.com
• neo.ujheadph.com
• newspace.ujheadph.com
• pasco.ujheadph.com
Another subdomain of ujheadph.com has been observed[2] in connection with distinctive traffic originating from the 3PARA RAT (described below), making it probable that this domain is also associated with PUTTER PANDA.
The decipherment.net domains resolved to this IP address from 11 October 2012 to at least 25 February 2013, and the botanict.com domain resolved from 11 October 2012 to 24 March 2013. During part of this timeframe (30 June 2012 - 30 October 2012), a domain associated with COMMENT PANDA resolved to this same IP address: login.aolon1ine.com. Additionally, for a brief period in April 2012, update8.firefoxupdata.com also resolved to this IP address.
The use of the same IP address during the same time suggests that there is perhaps some cooperation or shared resources between COMMENT PANDA and PUTTER PANDA.
VIXEN PANDA
Although not as conclusive as the links to COMMENT PANDA, IP address 31.170.110.163 was associated with VIXEN PANDA domain blog.strancorproduct.info from November to December 2013. In February 2014, this IP address was also associated with PUTTER PANDA domain ske.hfmforum.com. While not directly overlapping, this potential infrastructure link is interesting, as VIXEN PANDA has previously displayed TTPs similar to COMMENT PANDA (other CrowdStrike reporting describes VIXEN PANDA malware that extracts C2 commands embedded between delimiters in web content), and has extensively targeted European entities.
[2] See http://webcache.googleusercontent.com/search?q=cache:ZZyfzC1Y0UoJ:www.urlquery.net/report.php%3Fid%3D9771458+&cd=2&hl=en&ct=clnk&gl=uk
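The shared-IP reasoning applied above to both the COMMENT PANDA and the VIXEN PANDA links (same IP, overlapping or adjacent resolution windows, different groups) can be made mechanical over passive DNS data. The following Python is an added example written for this page; it is not code from CrowdStrike or from the report. The `PdnsRecord` model and the `shared_ip_links` function are this example's own design, and the day-level dates are assumptions constructed from the domains, IPs and dates named above (the report gives the VIXEN PANDA windows only to the month and the April 2012 window only as "brief").

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS resolution window: domain -> ip, seen between two dates."""
    domain: str
    group: str        # adversary group the domain is already attributed to
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records built from the domains, IPs and dates named in the
# report. Day-level precision is an assumption wherever the report gives only a
# month ("November to December 2013") or a "brief period in April 2012".
SAMPLE_RECORDS = [
    PdnsRecord("news.decipherment.net", "PUTTER PANDA", "100.42.216.230", date(2012, 10, 11), date(2013, 2, 25)),
    PdnsRecord("spot.decipherment.net", "PUTTER PANDA", "100.42.216.230", date(2012, 10, 11), date(2013, 2, 25)),
    PdnsRecord("spacenews.botanict.com", "PUTTER PANDA", "100.42.216.230", date(2012, 10, 11), date(2013, 3, 24)),
    PdnsRecord("login.aolon1ine.com", "COMMENT PANDA", "100.42.216.230", date(2012, 6, 30), date(2012, 10, 30)),
    PdnsRecord("update8.firefoxupdata.com", "COMMENT PANDA", "100.42.216.230", date(2012, 4, 1), date(2012, 4, 7)),   # assumed days
    PdnsRecord("blog.strancorproduct.info", "VIXEN PANDA", "31.170.110.163", date(2013, 11, 1), date(2013, 12, 31)),  # assumed days
    PdnsRecord("ske.hfmforum.com", "PUTTER PANDA", "31.170.110.163", date(2014, 2, 1), date(2014, 2, 28)),            # assumed days
]


def window_overlap_days(a: PdnsRecord, b: PdnsRecord) -> int:
    """Days the two resolution windows overlap; negative when there is a gap between them."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return (end - start).days


def shared_ip_links(records, max_gap_days: int = 0):
    """Pairs of domains from *different* groups that used the same IP at the same
    time ("overlap") or within max_gap_days of each other ("adjacent").

    Returns sorted tuples: (ip, domain_a, domain_b, kind, days).
    """
    by_ip: dict[str, list[PdnsRecord]] = {}
    for rec in records:
        by_ip.setdefault(rec.ip, []).append(rec)

    links = []
    for ip, recs in by_ip.items():
        for a, b in combinations(recs, 2):
            if a.group == b.group:
                continue  # one group reusing its own IP is expected, not a cross-group link
            days = window_overlap_days(a, b)
            if days >= 0:
                links.append((ip, a.domain, b.domain, "overlap", days))
            elif -days <= max_gap_days:
                links.append((ip, a.domain, b.domain, "adjacent", -days))
    return sorted(links)


if __name__ == "__main__":
    # With a 60-day tolerance the VIXEN PANDA / PUTTER PANDA pair on
    # 31.170.110.163 is reported as "adjacent" rather than dropped.
    for link in shared_ip_links(SAMPLE_RECORDS, max_gap_days=60):
        print(link)
```

With `max_gap_days=0` only the direct overlaps on 100.42.216.230 are reported (each 19 days long, 11 to 30 October 2012); raising the tolerance surfaces the non-overlapping but adjacent VIXEN PANDA link the report describes as "not directly overlapping", which is the kind of weaker signal an analyst would want to see separately labelled rather than silently merged with true overlaps.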
“CPYY”
Several email addresses have been associated with cpyy, who also appears to use the alternate handles
cpiyy and cpyy.chen:
• [email protected][email protected][email protected][email protected]
The cpyy.net domain lists “Chen Ping” as the registrant name, which may be cpyy’s real name, as this
correlates with the initials “cp” in “cpyy”. A personal blog for cpyy was found at http://cpiyy.blog.163.com/.
The profile on this blog (shown in Figure 2 below) indicates that the user is male, was born on 25 May 1979,
and works for the “military/police” (其他- 军人/警察).
Figure 2. cpyy Personal Blog on 163.com
This blog contains two postings in the “IT” category that indicate at least a passing interest in the topics of networking and programming. A related CSDN profile for user cpiyy indicates that cpyy was working on or studying these topics in 2002 and 2003[3].
Another personal blog for cpyy (http://www.tianya.cn/1569234/bbs) appears to have last been updated in
2007. This states that the user lives in Shanghai, and has a birthdate identical to that in the 163.com blog.
cpyy was also active on a social networking site called XCar, stating that he lived in Shanghai as early as 2005 through 2007; he said in a post, “Soldier’s duty is to defend the country, as long as our country is safe, our military is excellent”[4], indicating a feeling of patriotism that could be consistent with someone who chose a military or police-based career.
Figure 3. cpyy Personal Blog on tianya.cn
[3] See postings: http://bbs.csdn.net/users/cpiyy/topics
[4] hxxp://www.xcar.com.cn/bbs/viewthread.php?tid=7635725&page=6
On the XCar forum, cpyy.chen used a subforum called POLO (hacker slang for “Volkswagen cars”) to communicate with other users Linxder, peggycat, “Naturally do not understand romance” (天生不懂浪漫), “a wolf” (一只大灰狼), “large tile” (大瓦片), “winter” (冬夜), “chunni” (春妮), papaya, kukuhaha, Cranbing, “dusty sub” (多尘子), z11829, “ice star harbor” (冰星港), “polytechnic Aberdeen” (理工仔), “I love pineapple pie” (我爱菠罗派), and “she’s distant” in 2007. Although superficially the discussion is about cars, there is a repeated word in the text, “milk yellow package” or “custard package” or “yoke package” (奶黄包). This could be a hacker slang word, but it is unclear as to the definition. The conversation alludes to Linxder being the “teacher” or “landlord” and the other aforementioned users are his “students”. Linxder references how he has “found jobs” for them. It is possible that this is a reference to hacking jobs wrapped up in car metaphors.
Linxder is the handle of an actor associated with the likely Shanghai-based COMMENT PANDA group[5]. Linxder, cpyy, and xiaobai have all discussed programming and security related topics on cpyy’s site, cpyy.org[6], which hosted a discussion forum for the 711 Network Security Team (see below).
cpyy also appears to have a keen interest in photography; his 163.com blog includes several photographs taken by cpyy in the blog postings and albums section. Some of these photographs also appear in a Picasa site[7] (examples are shown in Figures 5 and 6) belonging to a user cpyy.chen. An album in this site named “me” has several shots of what is likely cpyy himself, from 2005, 2006, and 2007 (Figure 4):
Figure 4. cpyy.chen, from 2005, 2006, and 2007 (left to right)
An account on rootkit.com, a popular low-level software security site, existed for user cpyy and was accessed
in at least May 2004. This account was registered with primary email address [email protected] and backup email
address [email protected]; it listed a date of birth as 24 May 1979, consistent with cpyy’s other profiles. The
IP address 218.242.252.214 was associated with this account; it is owned by the Oriental Cable Network Co.,
Ltd., an ISP located in Shanghai. Registration on this forum shows that cpyy had an interest in security-related
programming topics, which is backed up by the postings on his personal blog and CSDN account.
Figure 5. Sample Photograph from cpyy.chen’s Picasa Albums
Figure 6. Example Photograph from 163.com Blog
711 Network Security Team
One of the sites registered to cpyy was used to host a web-based email service, along with a forum on www.cpyy.net. Both of these services were apparently run by the 711 Network Security Team (711网络安全小组), a group that is now likely defunct, but has previously published security-based articles that have been re-posted on popular Chinese hacking sites such as xfocus.net[8].
One of these articles, entitled “IMD-based packet filtering firewall to achieve the principles”[9], is apparently authored by xiaobai, with email address [email protected]; it was published on the “GRATEFUL” (饮水思源) security digest list[10] that is hosted by Shanghai Jiao Tong University (SJTU). This digest list/bulletin board was also frequented by ClassicWind, an actor possibly linked to the Shanghai-based, PLA-sponsored adversary group COMMENT PANDA, as described in a previous CrowdStrike Tipper. This Tipper also indicates that “the Chinese Communist Party (CCP) and the People’s Liberation Army (PLA) aggressively target SJTU and its School of Information Security Engineering (SISE) as a source of research and student recruitment to conduct network offense and defense campaigns”, so it is possible that the 711 Network Security Team members came to the attention of the Chinese state via this institution.
An additional connection to SJTU comes from a C2 domain, checalla.com, used with the 4H RAT in 2008. This domain was registered to httpchen@gmail.com at the time, and this address was also used to make a posting on the GRATEFUL BBS (shown in Figure 7). The posting indicates that httpchen is located at the 闵行 (Minhang) campus of SJTU and was posting using IP address 58.196.156.15, which is associated with the China Education and Research Network (CERNET), a nationwide network managed by the Chinese Ministry of Education. It also states that httpchen is studying at the school of Information Security Engineering within SJTU.
Figure 7. httpchen Posting on SJTU “GRATEFUL” BBS
[8] For example, hxxp://www.xfocus.net/articles/200307/568.html
[9] This article also lists http://cpyy.vicp.net/ as the original source site, although no archived content could be recovered for this.
[10] See http://bbs.sjtu.edu.cn/bbsanc,path,/groups/GROUP_3/Security/D44039356/D69C6D2AC/D4C11F438/D6DB67E4E/DA69FF663/M.1052844461.A.html
Military Connections
Several pieces of evidence indicate that cpyy probably has connections to, or is part of, the Chinese military
– specifically the PLA Army. In addition to his declaration on his personal blog that he works for the “military/
police”, and contacts with actors such as Linxder that have been previously associated with hacking units
within the PLA, cpyy’s Picasa site contains several photographs that hint at military connections.
First, a monochrome picture from the 大学时代 (“college”) album posted in February 2007 shows several uniformed individuals. It is not clear whether this picture includes cpyy, or just friends/associates/relatives.
A picture from the 中学时代 (“high school”) album posted in February 2007 shows a male – likely cpyy based on the clothing shown in the second picture, which matches the pictures of cpyy shown above – performing exercise in front of a group of likely soldiers and an officer.
Although somewhat unclear, pictures from the album 2002年的生日 (“2002 birthday”), also posted in
February 2007, show the celebrant (likely cpyy) in khaki clothes that are possibly military wear.
The most compelling pictures, however, are found in the 宿舍 and 办公室 albums (“dormitory” and “office”). A shot of probably cpyy’s dormitory room shows in the background two military hats that appear to be Type 07 PLA Army officer peak hats.
This album also contains a shot of the exterior of a building with several large satellite dishes outside:
This same building and the satellite dishes also appear in the “office” album. The reflection effects observed on the windows of this building could be due to coatings applied to resist eavesdropping via laser microphones and to increase privacy, which would be consistent with a military installation conducting sensitive work.
Above is an image from the same album of what appears to be a larger dish, in front of the Oriental Pearl
Tower, a significant landmark in Shanghai:
UNIT 61486
As mentioned above, checalla.com was used for command and control with the PUTTER PANDA 4H RAT in
2008. This domain was registered to [email protected], and in May 2009 the domain registration details
were updated to include a Registrant Address of “shanghai yuexiulu 46 45 202#”. A search for this location
reveals an area of Shanghai shown in Figure 8[12].
Figure 9 shows an enlargement of satellite imagery from within this area, depicting a facility containing several satellite dishes within green areas, sports courts and a large office building.
[12] Source: https://www.google.com/maps/place/31%C2%B017’18.0%22N+121%C2%B027’18.7%22E/@31.2882939,121.4554673,658m/data=!3m1!1e3!4m2!3m1!1s0x0:0x0
20
Figure 8. Map and Satellite Views of Area of Interest in Shanghai
Figure 9. Enlarged Section within Area of Interest
Satellite imagery from 2009 showing another aspect of this office building, along with a likely vantage point and direction of camera, alongside probably cpyy’s photograph from the same angle, is shown in Figure 10:
Figure 10. Satellite Imagery of Facility Alongside Handheld Image from cpyy
Based on the Shanghai location, and common features, it is highly likely that the location shown above is the same as that photographed by cpyy and shown in the “office” and “dormitory” albums. Further confirmation can be found from photos uploaded by a user on Panoramio[13] who tags the image as being located in Chabei[14], Shanghai, China (31° 17’ 18.86” N 121° 27’ 9.83” E). This image is exceptionally similar to the building shown in cpyy’s “office” album (see Figure 11 below).
[13] http://www.panoramio.com/user/3305909
[14] Alternately Romanized as Zhabei
Figure 11. Panoramio (left) and cpyy Images Compared
According to a public report[15] on the Chinese PLA’s General Staff Department (GSD), the 12th Bureau of the 3rd GSD is headquartered in the Zhabei district of Shanghai and “appears to have a functional mission involving satellites, likely inclusive of intercept of satellite communications and possibly space-based SIGINT collection”. The same report also lists a Military Unit Cover Designator (MUCD) of 61486 for this bureau.
A webpage[16] published on a Chinese government site detailing theatrical performances involving members of the PLA lists an address of “闸北区粤秀路46号” (46 Yue Xiu Road, Zhabei District) for “总参61486部队” (61486 Forces General Staff). A search for this location shows an identical area to that shown in Figure 8.
It can therefore be concluded with high confidence that the location shown in cpyy’s imagery, along with the satellite images above, is the headquarters of the 12th Bureau, 3rd GSD, Chinese PLA – also known as Unit 61486. This unit’s suspected involvement in “space surveillance”[17] and “intercept of satellite communications” fits with their observed targeting preferences for Western companies producing technologies in the space and imaging/remote sensing sectors. The size and number of dishes present in the area is also consistent with these activities.
[15] http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
[16] http://www.dfxj.gov.cn/xjapp/wtzyps/wtlzy/wyyjysl/zhc/zyc/bd01d910153ffb4d0115a7c12f70042e.html
[17] http://project2049.net/documents/china_electronic_intelligence_elint_satellite_developments_easton_stokes.pdf
Binary Indicators
Observed build times for the PUTTER PANDA tools described in this report range from 2007 to late 2013,
indicating that the actors have conducted several campaigns against their objectives over a period of
several years. A build time analysis of all known samples is shown in Figure 1 below, relative to China time.
Figure 1. Build Time Analysis of PUTTER PANDA Malware, Relative to China Time (UTC+8)
Although this shows that there is some bias in the build time distribution to daylight or working hours in China, which
is more significant if a possible three-shift system of hours is considered (0900-1200, 1400-1700, and 2000-2300), this
evidence is not conclusive. There is also some evidence that build times are manipulated by the adversary; for
example, the sample with MD5 hash bc4e9dad71b844dd3233cfbbb96c1bd3 has a build time of 18 July 2013, but was
supposedly first submitted to VirusTotal on 9 January 2013. This shows that the attackers – at least in 2013 – were aware
of some operational security considerations and were likely taking deliberate steps to hide their origins.
Conclusions
There is strong evidence to tie cpyy, an actor who appears to have been involved in historical PUTTER PANDA operations, to the PLA and a location in Shanghai that is operated by the 12th Bureau, 3rd GSD of the PLA (Unit 61486). Another actor tied to this activity, httpchen, has declared publicly that he was attending the School of Information Security Engineering at SJTU. This university has previously been posited as a recruiting ground for the PLA to find personnel for its cyber intelligence gathering units, and there is circumstantial evidence linking cpyy to other actors based at SJTU.
Given the evidence outlined above, CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai, China with high confidence. It is likely that this organization is staffed in part by current or former students of SJTU, and shares some resources and direction with PLA Unit 61398 (COMMENT PANDA).
Technical Analysis
Several RATs are used by PUTTER PANDA. The most common of these, the 4H RAT and the 3PARA RAT, have been documented in previous CrowdStrike Intelligence reporting. This analysis will be revisited below, along with an examination of two other PUTTER PANDA tools: pngdowner and httpclient. Two droppers have been associated with the PUTTER PANDA toolset; these are also briefly examined below.
4H RAT – EXAMPLE MD5 HASH
A76419A2FCA12427C887895E12A3442B
This RAT was first analyzed by CrowdStrike in April 2012, but a historical analysis shows that it has been in use since at least 2007 by the PUTTER PANDA actors. A listing of metadata for known samples, including C2 information, is shown in Appendix 1.
The operation of this RAT is described in detail in other CrowdStrike reporting, but is useful to revisit here to highlight the characteristics of the RAT:
• C2 occurs over HTTP, after connectivity has been verified by making a distinctive request (to the URI /
search?qu= at www.google.com).
• A victim identifier is generated from the infected machine’s hard disk serial number, XOR’ed with the key
ldd46!yo , and finally nibble-wise encoded as upper-case ASCII characters in the range (A-P) – e.g., the
byte value 0x1F becomes “BP”.
• A series of HTTP requests characterizes the RAT’s C2. The initial beacon uses a request with four parameters
(h1, h2, h3, and h4) – as shown in Figure 8 – to register the implant with the C2 server.
• Communication to and from the C2 server is obfuscated using a 1-byte XOR with the key 0xBE.
• The commands supported by the RAT enable several capabilities, including:
o Remote shell
o Listing of running processes (including loaded modules)
o Process termination (specified by PID)
o File and directory listing
o File upload, download, deletion, and timestamp modification
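As an added example (not code from the report), the victim-identifier encoding and the 1-byte C2 XOR from the bullets above, written in Python so that an analyst can decode identifiers seen in traffic. The repeating application of the key ldd46!yo and the treatment of the disk serial as an ASCII string are assumptions; the report does not state either.

```python
# Added example, not from the CrowdStrike report. Implements the 4H RAT victim
# identifier scheme described in the text: serial XOR key "ldd46!yo", then each
# byte encoded nibble-wise as two letters in A..P (0x1F -> "BP"). C2 traffic is
# obfuscated with a single-byte XOR of 0xBE.
from itertools import cycle

VICTIM_ID_KEY = b"ldd46!yo"   # key named in the report
C2_XOR_KEY = 0xBE             # single-byte XOR applied to C2 traffic
NIBBLE_ALPHABET = "ABCDEFGHIJKLMNOP"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Assumption: the key is repeated across the input (not stated in the report).
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def nibble_encode(data: bytes) -> str:
    """High nibble then low nibble of each byte, each mapped onto 'A'..'P'."""
    out = []
    for b in data:
        out.append(NIBBLE_ALPHABET[b >> 4])
        out.append(NIBBLE_ALPHABET[b & 0x0F])
    return "".join(out)


def nibble_decode(text: str) -> bytes:
    """Inverse of nibble_encode; rejects anything outside the A..P alphabet."""
    if len(text) % 2 or any(c not in NIBBLE_ALPHABET for c in text):
        raise ValueError("not a valid A-P nibble encoding")
    vals = [NIBBLE_ALPHABET.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(vals[0::2], vals[1::2]))


def encode_victim_id(disk_serial: str) -> str:
    # Assumption: the serial is used as its ASCII bytes.
    return nibble_encode(xor_with_key(disk_serial.encode("ascii"), VICTIM_ID_KEY))


def decode_victim_id(victim_id: str) -> str:
    """Recover the disk serial from an identifier observed in a beacon."""
    raw = xor_with_key(nibble_decode(victim_id), VICTIM_ID_KEY)
    return raw.decode("ascii", errors="replace")


def looks_like_victim_id(token: str) -> bool:
    """Cheap triage check for log tokens: even length, only letters A..P."""
    return len(token) > 0 and len(token) % 2 == 0 and all(c in NIBBLE_ALPHABET for c in token)


def deobfuscate_c2(payload: bytes) -> bytes:
    """Undo the 1-byte XOR (0xBE) on captured C2 traffic; symmetric, so also obfuscates."""
    return bytes(b ^ C2_XOR_KEY for b in payload)


if __name__ == "__main__":
    sample_serial = "WD-WCC4E1234567"        # constructed serial number
    vid = encode_victim_id(sample_serial)
    print(vid, looks_like_victim_id(vid), decode_victim_id(vid))
    print(deobfuscate_c2(b"\xbe\xbe").hex())  # two 0xBE bytes decode to two NULs
```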
Figure 8. 4H RAT Example Beacon
Figure 9. Sample Python Code to Decode Hostname from User-Agent Snippet
3PARA RAT – EXAMPLE MD5 HASH
BC4E9DAD71B844DD3233CFBBB96C1BD3
The 3PARA RAT was described in some detail in other CrowdStrike reporting, which
examined a DLL-based sample with an exported filename of ssdpsvc.dll. Other
observed exported filenames are msacem.dll and mrpmsg.dll, although the RAT has
also been observed in plain executable (EXE) format.
On startup, the RAT attempts to create a file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf. This is used to prevent multiple instances of the RAT being executed simultaneously. The RAT will then use a byte-wise subtraction-based algorithm (using a hard-coded modulo value) to decode C2 server details consisting of a server hostname and port number, in this example nsc.adomhn.com, port 80. The decoding algorithm is illustrated in Figure 10 below. The key and modulo values vary on a per-sample basis. Decoded C2 settings, along with sample metadata, are listed in Appendix 2.
The RAT is programmed in C++ using Microsoft Visual Studio, and it makes use of the
object-oriented and parallel programming features of this environment; Standard
Template Library (STL) objects are used to represent data structures such as strings and
lists, and custom objects are used to represent some of the C2 command handlers
(e.g., CCommandCMD). Several threads are used to handle different stages of the
C2 protocol, such as receiving data from the server, decrypting data, and processing
commands. Standard Windows primitives such as Events are used to synchronize
across these threads, with a shared global structure used to hold state.
Figure 10. Sample Python Code Illustrating C2 Server Decoding Routine
Once running, the RAT will load a binary representation of a date/time value13 from a file C:\RECYCLER\restore.dat, and it will sleep until after this date/time has passed. This provides a mechanism for the operators to allow the RAT to remain dormant until a fixed time, perhaps to allow a means of regaining access if other parts of their toolset are removed from a victim system.
Figure 11. 3PARA RAT Initial Beacon
As with the 4H RAT, the C2 protocol used by the 3PARA RAT is HTTP based, using
both GET and POST requests. An initial request is made to the C2 server (illustrated
in Figure 11 above), but the response value is effectively ignored; it is likely that this
request serves only as a connectivity check, as further C2 activity will only occur
if this first request is successful. In this case, the RAT will transmit some basic victim
information to the C2 server along with a 256-byte hash of the hard-coded string
HYF54&%9&jkMCXuiS. It is likely that this request functions as a means to authenticate
the RAT to the C2 server and register a new victim machine with the controller. A
sample request and its structure are shown in Figure 12.
13 Using the standard Windows SYSTEMTIME structure
Figure 12. Sample 3PARA RAT Secondary Beacon/C2 Registration
14 See http://msdn.microsoft.com/en-us/library/windows/desktop/bb759853(v=vs.85).aspx for details of this API, which is rarely used.
If this request is also successful, the RAT will attempt to retrieve tasking from the controller using a further distinctive HTTP request shown in Figure 13, repeating this request every two seconds until valid tasking is returned.
Figure 13. 3PARA RAT Sample Tasking Request
Returned tasking is decrypted using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS (as used in the secondary beacon shown above). If this fails, the RAT will fall back to decoding the data using an 8-byte XOR with a key derived from data returned from the HashData API with the same key string. Output data produced by tasking instructions is encrypted in the same manner as it was decrypted and sent back to the C2 server via HTTP POST request to a URI of the form /microsoft/errorpost/default.aspx?ID=, where the ID value is a random number in decimal representation – as with the initial request shown in Figure 4.
The set of commands supported by the RAT is somewhat limited, indicating that perhaps the RAT is intended
to be used as a second-stage tool, or as a failsafe means for the attackers to regain basic access to a
compromised system (which is consistent with its support for sleeping until a certain date/time). Some of the
supported commands are implemented using C++ classes derived from a base CCommand class:
• CCommandAttribe – Retrieve metadata for files on disk, or set certain attributes such as creation/modification timestamps.
• CCommandCD – Change the working directory for the current C2 session.
• CCommandCMD – Execute a command, with standard input/output/error redirected over the C2 channel.
• CCommandNOP – List the current working directory.
However, other commands are not implemented in this way. These other commands
contain functionality to:
• Pause C2 activity for a random time interval.
• Shutdown C2 activity and exit.
• Provide a date and time before which beaconing will not resume, recorded in the file C:\RECYCLER\restore.dat as noted above.
The use of C++ classes that inherit from a base class to carry out some of the tasking commands, along
with the use of concurrency features, indicates that the developers of the RAT put some thought into the
architecture and design of their tool, although the decision to implement some commands outside of the
class-based framework is curious, and may indicate multiple developers worked on the RAT (or a single
developer with shifting preferences for his coding style).
PNGDOWNER – EXAMPLE MD5 HASH
687424F0923DF9049CC3A56C685EB9A5
The pngdowner malware is a simple tool constructed using Microsoft Visual Studio and implemented via a single C++ source code file. This sample contains a PDB path of Y:\Visual Studio 2005\Projects\branch-downer\downer\Release\downer.pdb, but other similar paths Z:\Visual Studio 2005\Projects\pngdowner\Release\pngdowner.pdb and Z:\Visual Studio 2005\Projects\downer\Release\downer.pdb have also been observed in other samples. Appendix 3 lists metadata for known pngdowner samples.
Initially, the malware will perform a connectivity check to a hard-coded URL (http://www.microsoft.com), using a constant user agent Mozilla/4.0 (Compatible; MSIE 6.0;). If this request fails, the malware will attempt to extract proxy details and credentials from Windows Protected Storage, and from the IE Credentials Store using publicly known methods15, using the proxy credentials for subsequent requests if they enable outbound HTTP access. An initial request is then made to the hard-coded C2 server and initial URI – forming a URL of the form (in this sample) http://login.stream-media.net/files/xx11/index.asp?95027775, where the numerical parameter represents a random integer. A hard-coded user agent of myAgent is used for this request, and subsequent communication with the C2 server.
Content returned from this request to the C2 server will be saved to a file named index.dat in the user’s
temporary directory (i.e., %TEMP%). This file is expected to contain a single line, specifying a URL and a
filename. The malware will then attempt to download content from the specified URL to the filename within
the user’s temporary directory, and then execute this file via the WinExec API. If this execution attempt
succeeds, a final C2 request will be made – in this case to a URL using the same path as the initial request (and
a similarly random parameter), but with a filename of success.asp. Content returned from this request will be
saved to a file, but then immediately deleted. Finally, the malware will delete the content saved from the first
request, and exit.
The limited functionality, and lack of persistence of this tool, implies that it is used only as a simple download-and-execute utility. Although the version mentioned here uses C++, along with Visual Studio's Standard Template Library (STL), older versions of the tool (such as MD5 hash b54e91c234ec0e739ce429f47a317313), built in 2011, use plain C. This suggests that despite the simple nature of the tool, the developers have made some attempts to modify and perhaps modernize the code. Both versions contain debugging/progress messages such as “down file success”. Although these are not displayed to the victim, they were likely used by the developers as a simple means to verify functionality of their code.
HTTPCLIENT – EXAMPLE MD5 HASH
544FCA6EB8181F163E2768C81F2BA0B3
Like pngdowner, the httpclient malware is a simple tool that provides a limited range of functionality and uses
HTTP for its C2 channel. This malware also initially performs a connectivity check to www.microsoft.com using
the hard-coded user agent Mozilla/4.0 (Compatible; MSIE 6.0;), although in this variant no attempt is made to
extract proxy credentials.
The malware will then connect to its configured C2 infrastructure (file.anyoffice.info) and perform an HTTP request of the form shown in Figure 14 below:
Figure 14. HttpClient Sample Beacon
Content returned from the C2 server is deobfuscated by XOR’ing the content with a single byte, 0x12. The
decoded data is then checked for the string runshell. If this string is not present, the C2 request is repeated
every 0.5 seconds. Otherwise, a shell process is started (i.e., cmd.exe), with input/output redirected over the C2
channel. Shell commands from the server are followed by an encoded string $$$, which indicates that the shell
session should continue. If the session is ended, two other commands are supported: m2b (upload file) and
b2m (download file).
Slight variations on the C2 URLs are used for different phases of the C2 interaction:
• Shell command: /Microsoft/errorpost<random number>/default.asp?tmp=<encoded hostname>
• Shell response: /MicrosoftUpdate/GetUpdate/KB<random number>/default.asp?tmp=<encoded hostname>
15 Both methods are detailed here: http://securityxploded.com/iepasswordsecrets.php
Given the lack of a persistence mechanism and low level of sophistication, it is likely that httpclient – like
pngdowner – is used as a second-stage or supplementary/backup tool. Appendix 4 lists metadata for
observed httpclient samples.
DROPPERS – RC4 AND XOR BASED
Other CrowdStrike reporting describes a dropper used by PUTTER PANDA (abc.scr) to install the 4H RAT. This
dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the
payload to disk and executing it. Several instances of this dropper have been observed, most commonly in
association with the 4H RAT, but also in relation to other tools that will be described in forthcoming reporting.
Another dropper has been observed, exclusively installing the pngdowner malware (example MD5 hash 4c50457c35e2033b3a03fcbb4adac7b7). This dropper is simplistic in nature, and is compiled from a single C++ source code file. It contains a Word document in plaintext (written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc), along with an executable (Update.exe) and DLL (McUpdate.dll). The executable and DLL are both contained within the .data section of the dropper, obfuscated with a 16-byte XOR key (consisting of the bytes 0xA0 – 0xAF).
Both the document and executable are written to disk and then executed via the ShellExecute API (using the verb “open”). The executable is also installed into the ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with a value named McUpdate. Finally, the dropper deletes itself via a batch file.
The dropped executable (MD5 hash 38a2a6782e1af29ca8cb691cf0d29a0d) primarily aims to inject
the specified DLL (McUpdate.dll, MD5 hash 08c7b5501df060ccfc3aa5c8c41b452f) into a process that
would normally be accessing the network, likely in order to disguise the malicious activity. Module names
corresponding to Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and
Firefox (firefox.exe) are used. If Internet Explorer is used, then the malware will attempt to terminate processes
corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).
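As an added example (not the report's code), a small carver that recovers an executable obfuscated with the 16-byte XOR key 0xA0 to 0xAF described above, regardless of where in the section the key stream started. The "section" it scans is a constructed stand-in containing a minimal fake PE header; the assumption that the key repeats byte-wise from some unknown phase is mine, since the report does not say where the key stream begins.

```python
# Added example, not from the CrowdStrike report. Locates and decodes a PE file
# XOR-obfuscated with the repeating 16-byte key 0xA0..0xAF inside a blob of data
# (e.g. a dropper's .data section). Because the key's alignment relative to the
# payload is unknown, every one of the 16 possible phases is tried.
from typing import List, Tuple

KEY = bytes(range(0xA0, 0xB0))   # 0xA0, 0xA1, ..., 0xAF as stated in the report


def xor_key_stream(blob: bytes, key: bytes = KEY, phase: int = 0) -> bytes:
    """XOR blob with key repeated from index `phase`; symmetric (encode == decode)."""
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(blob))


def find_xored_pe(blob: bytes, key: bytes = KEY) -> List[Tuple[int, int]]:
    """Return (offset, phase) pairs at which a XOR'd MZ header with a valid
    e_lfanew pointing at a 'PE\\0\\0' signature starts."""
    n = len(key)
    hits = []
    for off in range(len(blob) - 0x40):
        for phase in range(n):
            # cheap filter on the two 'MZ' bytes before decoding a full header
            if blob[off] ^ key[phase] != 0x4D or blob[off + 1] ^ key[(phase + 1) % n] != 0x5A:
                continue
            hdr = xor_key_stream(blob[off:off + 0x40], key, phase)
            e_lfanew = int.from_bytes(hdr[0x3C:0x40], "little")
            if not (0x40 <= e_lfanew < 0x400) or off + e_lfanew + 4 > len(blob):
                continue
            sig_phase = (phase + e_lfanew) % n
            sig = xor_key_stream(blob[off + e_lfanew:off + e_lfanew + 4], key, sig_phase)
            if sig == b"PE\x00\x00":
                hits.append((off, phase))
    return hits


def carve(blob: bytes, off: int, phase: int, key: bytes = KEY) -> bytes:
    """Decode from `off` to the end of the blob (trailing padding is left in)."""
    return xor_key_stream(blob[off:], key, phase)


# --- constructed test data: a minimal fake PE, padded and obfuscated ---------
def build_fake_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\xcc" * 64


def build_obfuscated_section() -> bytes:
    """Fake .data section: 37 bytes of padding, the fake PE, 11 bytes of padding,
    XOR'd with the key starting at phase 0 from the section's first byte."""
    section = b"\x00" * 37 + build_fake_pe() + b"\x00" * 11
    return xor_key_stream(section, KEY, 0)


if __name__ == "__main__":
    section = build_obfuscated_section()
    for off, phase in find_xored_pe(section):
        pe = carve(section, off, phase)
        print(f"PE at offset {off:#x}, key phase {phase}: {pe[:2]!r}")
```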
Four examples of these droppers were located, using a mixture of decoy PDF and Microsoft Word documents
(shown below in Figures 15-18). The common theme throughout these documents is space technology
(Bienvenue_a_Sahaja_Yoga_Toulouse.doc does not follow this trend, but could be targeted at workers at the
Toulouse Space Centre, the “largest space centre in Europe”), indicating that the attackers have a keen
interest in this sector, which is also reflected in the choice of name for some of the C2 domains used (see the
Attribution section above).
16 The API used expects a parameter of the form char**, and is given a char* pointer to the “*/*” string, but the stack data following this pointer is not properly zeroed or cleansed before use, leading to uncontrolled memory being read as other strings.
Figure 15. “Invitation_Pleiades_012012.doc” Dropped by a4e4b3ceb949e8494968c71fa840a516
Figure 16. “Bienvenue_a_Sahaja_Yoga_Toulouse.doc” Dropped by 4c50457c35e2033b3a03fcbb4adac7b7
Figure 17. “50th AIAA Satellite Sciences Conference.pdf” from 6022cf1fcf2b478bed8da1fa3e996ac5
Figure 18: “Project-Manager-JobDescription-Surrey-Satellite-Technology-world-leader-provision-small-satellite-solutions.pdf” Dropped by 9cb6103e9588d506cfd81961ed41eefe
MITIGATION & REMEDIATION
A number of specific and generic detection methods are possible for this RAT, both on a host and on the network. These are detailed below, and are designed to expand upon the indicators reported in other CrowdStrike reporting.
REGISTRY ARTIFACTS
The following Windows registry artifacts are indicative of a compromised host:
• ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and value named McUpdate
FILE SYSTEM ARTIFACTS
The presence of the following file system artifacts is indicative of a compromised host:
• ssdpsvc.dll, msacem.dll, or mrpmsg.dll
• C:\RECYCLER\restore.dat
• %TEMP%\index.dat
HOST INDICATORS
A file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf also indicates the victim machine is
compromised with PUTTER PANDA malware.
Yara Rules
NETWORK SIGNATURES
In addition to the domains listed in the Appendices and in the Attribution section, the generic signatures below can be used to detect activity from the malware described in this report.
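As an added example (not one of the report's own signatures), the distinctive host, URI and User-Agent patterns described in the Technical Analysis section, applied as a Python check over proxy-log lines. The log format and every log line below are constructed for illustration; the hostnames reuse the C2 domains named earlier in this report.

```python
# Added example, not from the CrowdStrike report. Matches HTTP proxy-log records
# against the C2 patterns described for the 4H RAT, 3PARA RAT, pngdowner and
# httpclient. Log format (constructed): ts client method host uri "user-agent".
import re
from typing import Dict, List, Optional, Tuple

# (name, host pattern or None, URI pattern, User-Agent pattern or None).
# Patterns are searched, so anchor with ^/$ where the report gives a fixed form.
SIGNATURES = [
    ("4H RAT connectivity check: /search?qu= at www.google.com",
     re.compile(r"^www\.google\.com$"), re.compile(r"^/search\?qu="), None),
    ("3PARA RAT result POST: /microsoft/errorpost/default.aspx?ID=<decimal>",
     None, re.compile(r"^/microsoft/errorpost/default\.aspx\?ID=\d+$"), None),
    ("pngdowner beacon: index.asp/success.asp?<int> with User-Agent myAgent",
     None, re.compile(r"/(?:index|success)\.asp\?\d+$"), re.compile(r"^myAgent$")),
    ("httpclient shell command: /Microsoft/errorpost<n>/default.asp?tmp=<host>",
     None, re.compile(r"^/Microsoft/errorpost\d+/default\.asp\?tmp=\S+$"), None),
    ("httpclient shell response: /MicrosoftUpdate/GetUpdate/KB<n>/default.asp?tmp=<host>",
     None, re.compile(r"^/MicrosoftUpdate/GetUpdate/KB\d+/default\.asp\?tmp=\S+$"), None),
    # Weak indicator: the hard-coded check UA uses a capital 'C' in 'Compatible'.
    ("pngdowner/httpclient connectivity check UA to www.microsoft.com",
     re.compile(r"^www\.microsoft\.com$"), re.compile(r".*"),
     re.compile(r"^Mozilla/4\.0 \(Compatible; MSIE 6\.0;\)$")),
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format log line; None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, uri, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host, "uri": uri, "ua": ua}


def match_record(rec: Dict[str, str]) -> List[str]:
    """Names of every signature the record satisfies (host, URI and UA must all fit)."""
    names = []
    for name, host_re, uri_re, ua_re in SIGNATURES:
        if host_re is not None and not host_re.search(rec["host"]):
            continue
        if not uri_re.search(rec["uri"]):
            continue
        if ua_re is not None and not ua_re.search(rec["ua"]):
            continue
        names.append(name)
    return names


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(signature, client, uri) for every hit; malformed lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in match_record(rec):
            hits.append((name, rec["client"], rec["uri"]))
    return hits


# Constructed sample log: one line per tool, plus a benign Google search.
SAMPLE_LOG = [
    '2013-07-18T09:12:01Z 10.0.0.5 GET www.google.com /search?qu= "Mozilla/4.0"',
    '2013-07-18T09:12:03Z 10.0.0.5 GET www.google.com /search?q=weather "Mozilla/5.0"',
    '2013-07-18T09:15:44Z 10.0.0.7 POST nsc.adomhn.com /microsoft/errorpost/default.aspx?ID=48213 "Mozilla/4.0"',
    '2013-07-18T09:20:10Z 10.0.0.9 GET login.stream-media.net /files/xx11/index.asp?95027775 "myAgent"',
    '2013-07-18T09:22:31Z 10.0.0.11 GET file.anyoffice.info /Microsoft/errorpost7731/default.asp?tmp=QkNERUZH "Mozilla/4.0 (Compatible; MSIE 6.0;)"',
    '2013-07-18T09:22:32Z 10.0.0.11 POST file.anyoffice.info /MicrosoftUpdate/GetUpdate/KB88123/default.asp?tmp=QkNERUZH "Mozilla/4.0 (Compatible; MSIE 6.0;)"',
    '2013-07-18T09:30:00Z 10.0.0.13 GET www.microsoft.com / "Mozilla/4.0 (Compatible; MSIE 6.0;)"',
]

if __name__ == "__main__":
    for name, client, uri in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:<10} {uri:<55} {name}")
```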
Snort Rules
TTPS
In addition to the indicators described above, PUTTER PANDA have some distinct generic TTPs:
• Distinctive connectivity checks to www.google.com
• Use of the HashData API to derive key material for authentication and encryption
• Use of the ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Deployment of space industry-themed decoy documents during malware installations
Conclusion
PUTTER PANDA are a determined adversary group who have been operating
for several years, conducting intelligence-gathering operations with a
significant focus on the space sector. Although some of their tools are
simplistic, taken as a whole their toolset provides a wide degree of control
over a victim system and can provide the opportunity to deploy additional
tools at will.
Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau, 3rd General Staff Department (GSD) of the People’s Liberation Army (PLA), operating from the unit’s headquarters in Shanghai with MUCD 61486. Strategic objectives for this unit are likely to include obtaining intellectual property and industrial secrets relating to defense technology, particularly those to help enable the unit’s suspected mission to conduct space surveillance, remote sensing, and interception of satellite communications. PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests.
The detection and mitigation guidance given in this report will help to
minimize the risk of a successful compromise by these actors, and future
CrowdStrike reports will examine other elements of the PUTTER PANDA toolset.
Appendices
APPENDIX 1: 4H RAT SAMPLE METADATA
APPENDIX 2: 3PARA RAT SAMPLE METADATA
APPENDIX 3: PNGDOWNER SAMPLE METADATA
APPENDIX 4: HTTPCLIENT SAMPLE METADATA
CrowdStrike Falcon Intelligence
CrowdStrike Falcon Intelligence portal provides enterprises with strategic, customized, and actionable intelligence. Falcon Intelligence enables organizations to prioritize resources by determining targeted versus commodity attacks, saving time and focusing resources on critical threats. With unprecedented insight into adversary tools, tactics, and procedures (TTPs) and multi-source information channels, analysts can identify pending attacks and automatically feed threat intelligence via API to SIEM and third-party security tools.
Access to CrowdStrike Falcon Intelligence is geared toward all levels of an organization, from the executive who needs to understand the business threat and strategic business impact, to the front-line security professional struggling to fight through an adversary’s attack against the enterprise.
CrowdStrike Falcon Intelligence is a web-based intelligence subscription that includes full access to a variety of feature sets, including:
• Detailed technical and strategic analysis of 50+ adversaries’ capabilities, indicators and tradecraft, attribution, and intentions
• Customizable feeds and API for indicators of compromise in a wide variety of formats
• Tailored Intelligence that provides visibility into breaking events that matter to an organization’s brand,
Falcon Intelligence Benefits
Incorporate Actionable Intelligence Feeds into your existing enterprise security infrastructure to identify advanced attackers specific to your organization and industry
Rapidly integrate Falcon Intelligence into custom workflows and SIEM deployments with a web-based API
Quickly understand the capabilities and artifacts of targeted attacker tradecraft with in-depth technical analysis
Gain visibility into breaking events that matter to an organization’s brand, infrastructure, and customers
Interact with the Intelligence team and leverage customized Cyber Threat Intelligence feedback during Quarterly Executive Briefings
Provide malware samples and receive customized and actionable intelligence reporting
Access the Adversary Profile Library to gain in-depth information into 50+ adversary groups, to include capabilities and tradecraft
CrowdStrike Falcon Host
CrowdStrike Falcon Host is an endpoint threat
detection and response product that identifies
unknown malware, detects zero-day threats, and
prevents damage from targeted attacks in real-time.
Falcon Host is comprised of two core components,
the cloud-based management console and the
on-premises host-based sensor that continuously
monitors threat activity at the endpoint to prevent
damage in real-time.
Falcon Host leverages a lightweight kernel-mode
sensor that shadows, captures, and correlates low-level operating system events to instantly identify
the adversary tradecraft and activities through
Stateful Execution Inspection (SEI) at the endpoint
and Machine Learning in the cloud. As opposed
to focusing on malware signatures, indicators of
compromise, exploits, and vulnerabilities, Falcon Host
instead identifies mission objectives of the adversary
leveraging the Kill Chain model and provides real-time
detection by focusing on what the attacker is
doing, as opposed to looking for a specific,
easily changeable indicator used in an attack.
Without performing intrusive and performance-impacting scans of the system, Falcon Host’s highly
efficient real-time monitoring of all system activity
is the only security solution that provides maximum
visibility into all adversary activities, including
Adversary-in-Motion: reconnaissance, exploitation,
privilege escalation, lateral movement, and
exfiltration.
Falcon Host delivers insight into past and current
attacks not only on a single host, but also across
devices and networks.
Falcon Host Key Features
• Endpoint threat detection and response solution
• Cloud-managed application with easily deployed sensors for
Mac & Windows
• Kernel-mode sensors require no reboot on updates. Less
than 2MB footprint executable
• Detects attacks based on adversary activity
• Integrates with existing security architecture and SIEM tools
through Falcon Host APIs
Technology Drivers:
Stateful Execution inspection
Stateful Execution Inspection (SEI) tracks execution state and
links together various stages of the kill chain, from initial code
execution to data exfiltration.
CrowdStrike’s Real-time Stateful Execution Engine performs
inspection and analysis to understand the full context of a
cyber attack. SEI is critical to understanding the entire
attack life cycle and preventing the damage from advanced
malware and targeted attacks. Existing security technologies
that focus solely on malware signatures, indicators of
compromise, exploits, and vulnerabilities
fail to protect against the majority of attacks as they are blind
to the full scope of adversary activity.
Benefits
• Identify and protect against damage from determined
attackers who are undetected by existing passive
defense solutions
• Understand who is attacking you, why and what they want
to steal or damage
• Alert and stop exfiltration of sensitive information from
compromised machines
• Protect remote users when they are outside of the
corporate network
• No on-premises equipment needed, reducing overall
total cost of ownership
About CrowdStrike
CrowdStrike is a global provider of security technology and services focused on
identifying advanced threats and targeted attacks. Using big-data technologies,
CrowdStrike’s next-generation threat protection platform leverages real-time
Stateful Execution Inspection (SEI) at the endpoint and Machine Learning
in the cloud instead of solely focusing on malware signatures, indicators of
compromise, exploits, and vulnerabilities. The CrowdStrike Falcon Platform
is a combination of big data technologies and endpoint security driven by
advanced threat intelligence. CrowdStrike Falcon enables enterprises to identify
unknown malware, detect zero-day threats, pinpoint advanced adversaries and
attribution, and prevent damage from targeted attacks in real time.
About CrowdStrike Services
CrowdStrike Services is a wholly owned subsidiary of CrowdStrike responsible
for proactively defending against and responding to cyber incidents with pre
and post Incident Response services. CrowdStrike’s seasoned team of Cyber
Intelligence professionals, Incident Responders, and Malware Researchers
consists of a number of internationally recognized authors, speakers, and experts
who have worked on some of the most publicized and challenging intrusions and
malware attacks in recent years. The CrowdStrike Services team leverages our
Security Operations Center to monitor the full CrowdStrike Falcon Platform and
provide cutting-edge advanced adversary intrusion detection services. The full
spectrum of proactive and response services helps customers respond tactically
as well as continually mature and strategically evolve Incident Response
program capabilities.
For more information on the intelligence provided in this report or on
any of the 70+ actors tracked by the CrowdStrike Global Intelligence team,
contact us at [email protected]
To learn more about the CrowdStrike Falcon Platform or
CrowdStrike Services, contact us at [email protected].
www.crowdstrike.com | @CrowdStrike